SharpHound2
GPOs with multiple owners
Hi,
We noticed that BloodHound gives an incorrect output; it shows that multiple users own 1 policy, which is not possible.
The following tool is used: https://www.microfocus.com/en-us/products/netiq-group-policy-administrator/overview and might be causing some issues.
PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-GPO -Name "Default Domain Controllers Policy"
DisplayName : Default Domain Controllers Policy
DomainName : xxxxxxxxx
Owner : XXX\FUNCTIONAL_ACCOUNT
Id : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 20/04/2002 10:46:22 AM
ModificationTime : 13/12/2018 11:03:36 AM
UserVersion : AD Version: 10, SysVol Version: 10
ComputerVersion : AD Version: 179, SysVol Version: 179
WmiFilter :
I investigated more and found out the json exports correctly have the multiple domain policies with the same name and different GUIDs.
However, when I query Neo4j DB directly, it only returns 1 object with that name.
This issue might have to be moved to BloodHound repo
Actually, it looks like in the OU collection, the GPO is referenced by name as well:
Extract from ous json:
[...]
{
  "Properties" : {
    "name" : "DOMAIN [email protected]",
    "highvalue" : false,
    "blocksinheritance" : false
  },
  "Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
  "ChildOus" : [],
  "Computers" : ["COMPUTER1.SUB.DOMAIN", "COMPUTER2.SUB.DOMAIN", "COMPUTER3.SUB.DOMAIN", "COMPUTER4.SUB.DOMAIN"],
  "Users" : [],
  "Links" : [{
    "IsEnforced" : false,
    "Name" : "DEFAULT DOMAIN CONTROLLERS [email protected]"
  }],
  "Aces" : null
}
[...]
Below is a redacted extract of the gpos json:
[...]
{
  "Properties" : {
    "highvalue" : false
  },
  "Name" : "DEFAULT DOMAIN CONTROLLERS [email protected]",
  "Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx01",
  "Aces" : [{
    "PrincipalName" : "[email protected]",
    "PrincipalType" : "user",
    "RightName" : "Owner",
    "AceType" : ""
  }, {
    "PrincipalName" : "DOMAIN [email protected]",
    "PrincipalType" : "group",
    "RightName" : "WriteDacl",
    "AceType" : ""
  }, {
    "PrincipalName" : "DOMAIN [email protected]",
    "PrincipalType" : "group",
    "RightName" : "WriteOwner",
    "AceType" : ""
  }, {
    "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
    "PrincipalType" : "group",
    "RightName" : "WriteDacl",
    "AceType" : ""
  }, {
    "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
    "PrincipalType" : "group",
    "RightName" : "WriteOwner",
    "AceType" : ""
  }]
}, {
  "Properties" : {
    "highvalue" : false
  },
  "Name" : "DEFAULT DOMAIN CONTROLLERS [email protected]",
  "Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx02",
  "Aces" : [{
    "PrincipalName" : "[email protected]",
    "PrincipalType" : "user",
    "RightName" : "Owner",
    "AceType" : ""
  }, {
    "PrincipalName" : "DOMAIN [email protected]",
    "PrincipalType" : "group",
    "RightName" : "WriteDacl",
    "AceType" : ""
  }, {
    "PrincipalName" : "DOMAIN [email protected]",
    "PrincipalType" : "group",
    "RightName" : "WriteOwner",
    "AceType" : ""
  }, {
    "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
    "PrincipalType" : "group",
    "RightName" : "WriteDacl",
    "AceType" : ""
  }, {
    "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
    "PrincipalType" : "group",
    "RightName" : "WriteOwner",
    "AceType" : ""
  }]
}
[...]
SharpHound should add the Guid property when collecting GPO links with OUs: https://github.com/BloodHoundAD/SharpHound/blob/c26b0556bd7d15e7e4c8fb948e32d268321100e6/Sharphound2/Enumeration/ContainerHelpers.cs#L147
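To spot this collapse before the data reaches Neo4j, the following added check (not part of SharpHound or this issue) reads the gpos and ous exports, lists GPO names that map to more than one GUID, and flags OU links that reference such a name and therefore cannot be resolved to a single GPO. The JSON samples are constructed to mirror the redacted extracts above; the GPO and OU names and GUIDs are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample: two GPOs share a name but carry different GUIDs,
# and the OU links to the policy by name only, as in the issue.
GPOS_JSON = """[
 {"Properties": {"highvalue": false},
  "Name": "DEFAULT DOMAIN CONTROLLERS POLICY@DOMAIN",
  "Guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx01", "Aces": []},
 {"Properties": {"highvalue": false},
  "Name": "DEFAULT DOMAIN CONTROLLERS POLICY@DOMAIN",
  "Guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx02", "Aces": []},
 {"Properties": {"highvalue": false},
  "Name": "DEFAULT DOMAIN POLICY@DOMAIN",
  "Guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx03", "Aces": []}
]"""

OUS_JSON = """[
 {"Properties": {"name": "DOMAIN CONTROLLERS@DOMAIN",
                 "highvalue": false, "blocksinheritance": false},
  "Guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx10",
  "ChildOus": [], "Computers": ["DC1.DOMAIN"], "Users": [],
  "Links": [{"IsEnforced": false,
             "Name": "DEFAULT DOMAIN CONTROLLERS POLICY@DOMAIN"}],
  "Aces": null}
]"""


def gpo_name_collisions(gpos):
    """Return {name: sorted GUIDs} for every GPO name carried by more than one GUID."""
    by_name = defaultdict(set)
    for gpo in gpos:
        by_name[gpo["Name"]].add(gpo["Guid"])
    return {n: sorted(g) for n, g in by_name.items() if len(g) > 1}


def ambiguous_ou_links(ous, collisions):
    """Return (OU name, link name) pairs whose name-only link matches several GPOs."""
    hits = []
    for ou in ous:
        for link in ou.get("Links") or []:
            if link["Name"] in collisions:
                hits.append((ou["Properties"]["name"], link["Name"]))
    return hits


def check_export(gpos_text, ous_text):
    """Parse both exports and return (name collisions, ambiguous OU links)."""
    gpos, ous = json.loads(gpos_text), json.loads(ous_text)
    collisions = gpo_name_collisions(gpos)
    return collisions, ambiguous_ou_links(ous, collisions)
```

Run on a real export, every entry in the returned collision map is a GPO node that BloodHound will merge into one, and every returned link is an edge that will attach to the wrong (or only one) policy.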